Timico - possible database hack?

I have just received three malicious emails with attachments on an email address SPECIFIC TO and ONLY used for Timico. Absolutely nobody else has ever been given the particular email address. I use different addresses for everybody so that I can track and tackle fraud and stop spam and it has been successful for some years until now.

This means either Timico are selling on user details, which I doubt OR even worse that their user database has been hacked. I should not have to spell out exactly what that could mean and the danger, if that is the case, it could put all Timico users in, particularly bank account details, home addresses, telephone numbers etc.

This could only be me but if you think it's happened to you please contact Timico support immediately and post to this forum to alert others.

Did the email mention you personally? Could just be some random spam getting send out to randomly generated email addresses and they got lucky

In reply to a post by My_brain_hurts:

This means either Timico are selling on user details, which I doubt OR even worse that their user database has been hacked.

or your own email system has leaked the address.

In reply to a post by ggremlin:

In reply to a post by My_brain_hurts:

This means either Timico are selling on user details, which I doubt OR even worse that their user database has been hacked.

or your own email system has leaked the address.

That is highly unlikely.

I use the same strategy and mine is implemented using wildcards. My server doesn't have any knowledge of incoming addresses. Something that scanned my mailbox could get those addresses but only if it chose to look in the 'to:' field which would be a strange thing for it to do since it already had access to my mailbox. It could also get those addresses by scanning the server log files but that's yet another magnitude of unlikely.

In any case knowing how spam works if something has harvested the OP's incoming addresses they should be seeing a lot more spam. No-one sells just one address. Everything gathered from the OP's server should now be being targeted.

Edited by Andrue (Tue 01-Dec-15 22:24:25)

In reply to a post by bobble_bob:

Did the email mention you personally? Could just be some random spam getting send out to randomly generated email addresses and they got lucky

Well that depends how the OP generates addresses but it seems unlikely. Most people doing this use a wildcard system. Typically an address will consist of a known value and the bit that varies eg;

<contact name>.mymailbox@...

In order to get random spam the name generator has to have finally hit on something that ends with '.mymailbox'. Once they do that anything will go through eg 'a.mymailbox@', 'b,mymailbox@' etc. It'd be a pretty bizarre name generator that happened to try 'timico.mymailbox@' on it's first attempt.

The alternative strategy is to use the standard '+' notation supported by most servers eg;

mymailbox+timico@...

And again you have to ask what kind of random generator only picked 'mymailbox+timico' when 'mymailbox+aaaaa' is just as valid.

Edited by Andrue (Tue 01-Dec-15 22:35:39)

I believe the OP was with Coms before Timico bought them out. Perhaps they had his email address aswell?

In reply to a post by bobble_bob:

I believe the OP was with Coms before Timico bought them out. Perhaps they had his email address aswell?

Oh aye that's possible. All I'm saying is that this naming system makes it almost certain that blame for this can be laid on a third party.

As for how..there are several ways. Could just be careless use of CC or perhaps one of their suppliers needs the emails of users for some reason. One way or the other it still lays blame on Timico. It just might not be as serious as a data breach.

Edited by Andrue (Tue 01-Dec-15 22:44:10)

Its surprising how people can get your email and phone number. Im very careful about who has my details and always tick the "dont sell to 3rd parties box", yet ive had phone calls from PPI companies who know my full name. So someone sells them the data either illegally or by not making it easy for you to opt out of them selling your details

Your full name and address is on the electoral register.

Edited by RobertoS (Tue 01-Dec-15 23:32:21)

My mobile number isnt though and thats what they rang me on